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ABSTRACT 



A method of masking a conditional jump operation in a cryptographic processor, 
wherein program execution jumps to one of two branches dependent on a first or second 
condition of a distinguishing value V relative to a reference wherein the reference is bounded 
by an upper limit Vmax and a lower limit Vmin. The method comprising the steps of 
determining the location of a conditional jump and inserting code thereat for executing 
instructions to change program execution to a respective one of the two branches by using 
said distinguishing value and a base address to compute a target address, wherein for each 
evaluation of said condition a different number of instructions are executed, thereby 
minimizing the effectiveness of a differential power attack. 
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METHOD AND APPARATUS FOR MINIMIZING DIFFERENTIAL POWER ATTACKS 

ON PROCESSORS 

This invention relates to cryptographic systems and in particular to a method and 
5 apparatus for minimizing successful power analysis attacks on processors. 

BACKGROUND OF THE INVENTION 

Cryptographic systems generally owe their security to the fact that a particular piece of 
information is kept secret, without which it is almost impossible to break the scheme. This 

10 secret information must generally be stored within a secure boundary, making it difficult for 
an attacker to get at it directly however, various schemes or attacks have been attempted in 
order to obtain the secret information. Of particular risk are portable cryptographic tokens, 
including smart cards and the like. Of the more recent attacks performed on these particularly 
vulnerable devices are simple power analysis, differential power analysis, higher order 

1 5 differential power analysis and other related techniques. These technically sophisticated and 
extremely powerful analysis tools can be used by an attacker to extract secret keys from 
cryptographic devices. It has been shown that these attacks can be mounted quickly and can 
be implemented using readily available hardware. The amount of time required for these 
attacks depends on the type of attack and varies somewhat by device. For example it has been 

20 shown that a simple power attack (SPA) typically take a few seconds per card, while the 
differential power attacks (DP A) can take several hours. 

Encryption operations are performed in a processor operating in a sequential manner 
by performing a sequence of fundamental operations, each of which generates a distinct 
timing pattern. Laborious but careful analysis of end-to-end power waveforms can 

25 decompose the order of these fundamental operations performed on each bit of a secret key 
and thus be, analyzed to find the entire secret key, compromising the system. 

In the simple power analysis (SPA) attacks on smart cards and other secure tokens, an 
attacker directly measures the token's power consumption changes over time. The amount of 
power consumed varies depending on the executed microprocessor instructions. A large 

30 calculation such as elliptic curve (EC) additions in a loop and DES rounds, etc, may be 
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identified, since the operations performed with a microprocessor vary significantly during 
different parts of these operations. By sampling the current and voltage at a higher rate, i.e., 
higher resolution, individual instructions can be differentiated. 

The differential power analysis attack (DP A) is a more powerful attack than the SPA 
5 and is much more difficult to prevent. Primarily, the DPA uses statistical analysis and error 
correction techniques to extract infonnation which may be correlated to secret keys, while the 
SPA attacks use primarily visual inspection to identify relevant power fluctuations. The DPA 
attack is performed in two steps. The first step is recording data that reflects the change in 
power consumed by the card during execution of cryptographic routines. In the second step, 

10 the collected data is statistically analyzed to extract information correlated to secret keys. A 
detailed analysis of these attacks is described in the paper entitled "Introduction to 
Differential Power Analysis and Related Attacks" by Paul Kocher et al 

Various techniques for addressing these power attacks have been attempted to date. 
These include hardware solutions such as providing well-fihered power supplies and physical 

1 5 shielding of processor elements. However, in the case of smart cards and other secure tokens, 
this is unfeasible. The DPA vutaerabilities result from transistor and circuit electrical 
behaviors that propagate to expose logic gates, microprocessor operation and ultimately the 
software implementations. 

In software implementation of cryptographic routines, particularly on smart cards, 

20 branches in program flow are particularly vulnerable to power analysis measurements. 

Generally, where the program flow reaches a branch, then based on some distinguishing value 
V, one of two branches of the program is executed. To distinguish between the two possible 
cases, y is compared with a threshold value and a jump to one of two locations is executed as 
a resuh of the comparison. This is illustrated by referring to figure 1, where a flow diagram 

25 showing the implementation of a typical conditional jump according to the prior art is shown 
generally by 10. Generally a conditional jump implements an "IF condition THEN 
statementl ELSE statement2 " clause. In this case, the flow diagram indicates a scenario 
where a distinguishing value V varies within a range and the condition is whether a threshold 
value TH is crossed by the distinguishing value V or not. The threshold TH is a random 

30 number between an upper limit and a lower limit VMAX and VMIN, respectively. Thus, it 
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may be seen in figure 1 if V < TH the program executes statements 1 or if V > TH, the 
program executes statements!. This may be repeated for all values of V from VMIN to 
VMAX. 

As outlined earlier by utilizing a simple power analysis technique, it is possible for an 
5 observer to distinguish whether the "IF" brtmches or the "ELSE" branch is being executed. 
This however, does assume that the statements! and statements! consist of two identical sets 
of instructions that serve different purposes. Power or current consumption measurements 
on some smart cards can reveal which branch was taken. In some cases, some status flags on 
the chip may be set or reset. These flags may also be used for SPA. 
10 Accordingly, there is a need for a system for reducing the risk of a successful power 

analysis attacks and which is particularly appHcable to current hardware environments. 

SUMMARY OF THE INVENTION 
15 It is an object of this invention to provide a method for minimizing power analysis 

attacks on processors. 

In accordance with this invention there is provided a method of masking a conditional 
jump operation in a processor, wherein program execution jumps to one of two branches 
dependent on a first or second condition of a distinguishing value V relative to a reference 
20 value and wherein the reference is bounded by an upper limit Vmax and a lower limit Vmin, 
the method comprising the steps of : 

determining the location of a conditional jump; and 

inserting code thereat for executing instructions to change program execution to a 
respective one of the two branches by using said distinguishing value and a base address to 
25 compute a target address, wherein for each evaluation of said condition a different number of 
instructions are executed, thereby minimizing the effectiveness of a differential power attack. 

In a further embodiment the distinguishing value is combined with a random value, 
thereby adding a random number of instructions on every condition evaluation. 

30 . 
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BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the preferred embodiments of the invention will become 
more apparent in the following detailed description in which reference is made to the 
appended drawings wherein: 
5 Figure 1 is schematic diagram of a conditional operation; 

Figure 2 is part of a computer program according to an embodiment of the present 
invention; 

Figure 3 is part of a computer program according to a further embodiment of the 
present invention; 

10 Figure 4 is part of a computer program according to a still further embodiment of the 

present invention; and 

Figure 5 is a flow diagram illustrating another embodiment of the invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

1 5 Referring to figure 2, a schematic diagram of a method for masking conditional jump 

statements in a computer program, according to an embodiment of the present invention, is 
shown generally by numeral 50, We assume that the following code fragments are executed 
by a processor and that a distinguishing value V varies within a known range and the 
condition is whether a threshold value TH is crossed by the distinguishing value V or not. 

20 The threshold TH is a random number in the known range having an upper limit and a lower 
limit VMAX and VMIN, respectively. In a generalized embodiment, the method comprises 
the steps of identifying a location for a conditional jump operation, and inserting at the 
location a call 52 to a subroutine 54, the subroutine 54 including instructions for changing the 
return address of the subroutine to one of two program branches to execute branch 

25 statements! or branch statements! in response to the result of a comparison of the 
distinguishing value V to the threshold value. 

As may be seen in figure 2, the location of the conditional jump that is replaced is 
identified by code block a. The subroutine is identified as IRRITATE_1 (54) and includes 
code blocks identified as b, c, d and e. The code block c includes a first and second sections 

30 56 and 58, respectively. The start address of the second section 58 is predetermined and is 
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indicated by the value KNOWN^DISPLACEMENT. The start address of the first section 56 
is then determined by the difference between KNOWN_DISPLACEMENT and the upper 
limit of the distinguishing value V. The first section 56 consists of a series of imconditional 
jumps to an address LI and the second section 58 consists of a series of unconditional jumps 
5 to an address L2. The locations LI and L2 contain code for returning program flow to 
execute statements 1 and statements! respectively. The code block b included in the 
subroutine TRRITATE_1 includes code for computing a difference between the 
KNOWN^DISPLACEMENT address and the THRESHOLD. The resulting address is then 
added to the distinguishing value V to derive a target address location in one of the sections 
10 56 or 58. 

As may be seen in block a the distinguishing value V is preserved while calling the 
subroutine, which in turn does not contain any conditional jumps. In this subroutine we 
change the return address of the subroutine (which resides on the stack) depending on whether 
V is below or above TH in such a way that, after returning firom the subroutine, the program 

15 will continue execution in the desired branch. 

An addressing mode known as extended addressing is used to determine the target 
address. With extended addressing the address at which the execution of the program has to 
continue is computed as the sum of the content of two registers. For example JMP 
@A+DPTR in the assembly language of the Intel 8051 family means that the address at which 

20 the program execution has to continue is computed by adding the content of the accumulator 
A and the data pointer DPTR. Other processors may support similar mechanisms for 
addressing. The code firagments shown in figure 2 illustrate the method. To refer to lines of 
these code fragments we use labels consisting of a letter and a number. Thus to implement 
this method we have to specify: 

25 a) the address at which the block of code 56 is going to reside. That would be the address 
of the first JMP LI; 

b) the range of the distinguishing value V; and 

c) the maximum value of the random threshold TH. This maximum value or a value 
derived from it will define the size of the code block containing the JMP LI and JMP L2 

30 instructions. 
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The operation of the code fragments shown in figure 2 will be discussed below. The 
code fragments may be located within a loop, which sequentially changes the value of V in a 
given range for iterations of the loop. For example V may the value of the loop coimter. The 
goal is to continue execution at the label DO_REAL, line dl, as long as V<THRESHOLD 
5 and continue execution of instructions at the label DO_VOID , line el , for V>= 
THRESHOLD. 

As mentioned earlier the THRESHOLD value is a random value within the known 
range of Vmin and Vmax. At line al the distinguishing value V is stored in the accumulator 
of the processor and the subroutine IRRITATE_1 is called at line a2. The return address from 
10 this subroutine will be line a3, which is automatically stored on the stack by the processor. 

The KNOWN_DTSPLACEMENT in line bl is a constant value that specifies the 
beginning location of the second section 58 and indicates the address of line c9. Thus 
KNOAVN__DISPLACEMENT-Vmax is the address of line cl, the beginning location of the 
first section 56. 

1 5 In Block b the value of KNOWN_DISPLACEMENT is stored in a register at line b 1 . 

Next at line b2 the register is updated with the difference of KNOWN_^DISPLACEMENT and 
THRESHOLD. This difference is moved to in DPTR at line b3. Thus, DPTR contains the 
address of one of the lines cl through c8 in block c. For example for THRESHOLD = 3 
DPTR would point to line c6. Assume next V and thus the contents of the accumulator can 

20 vary from 0 (Vmin) to 7 (Vmax). Then since DPTR may vary from the address of cl to c8, 
the address @A+DPTR computed at line b4 can vary from the address of line c6 through cl2 
as V varies from 0 to7. Therefore, for V<3 the JMP LI instructions in the first section will be 
executed and for V>= 3 the JMP L2 instructions in the second section will be executed. 

The labels LI and L2 point to addresses located at lines cl7 and c21 respectively. In 

25 lines cl 7 through c 19 the return address of the subroutine IRRITATE_1 is retrieved and 
changed such that the program counter will point to line a3 after returning from the 
subroutine. In lines c21 through c23 the return address of the subroutine IRRITATE l is also 
retrieved and changed such that the program counter will point to line a4 after returning from 
the subroutine. The simple jump instructions at lines a3 and a4 
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It may be noted that the actual distinction between the two branches to be taken is 
decided at lines cl8 and c22 where the retrieved subroutine return address is changed to the 
appropriate line in block a. In the present embodiment values of 0 and 1 have been chosen 
since the redirection jump instructions were located immediately after the call instruction to 
5 the subroutine IRRITATE^l, at Imes a3 and a4 respectively. In other implementations 

different values with equal nimiber of I's in their binary presentation may be used so that an 
the difference in the add operations at lines cl 8 and c22 is indistinguishable to an attacker. In 
this case an appropriate number of NOP's would be added to code block a in order to adjust 
the return addresses. 

10 Furthermore, the jump instructions in lines a3 and a4, which redirect program flow to 

statements 1 and statements! respectively, should be placed at addresses with the same 
number of I's in their binary representation. This would result in homogenous power 
consumption on the address bus while addressing these two different locations. The same 
precaution applies to the lines dl and el, the beginning location of statements! and 

15 statements! respectively. In addition, in line b2 special attention should be paid to the choice 
of values of THRESHOLD and KNOWN_DISPLCEMENT to avoid changes in flags in the 
processors status word while the SUB instruction is being executed. 

Referring to figure 3, a second embodiment of the present invention is shown 
generally by numeral 100. This embodiment also utilizes extended addressing as described 

20 earlier. Again, assembly language of the Intel 8051 family of processors is used to illustrate 
the method. For clarity the symbols opl through op7 are used to represent program 
instructions. In this embodiment, the distinguishing value V is one of two distinct values 
Vmax and Vmin, rather than a range of values. Thus, the condition in this case is when the 
distinguishing value V is one or the other of the distinct values Vmax or Vmin. Once again a 

25 call to a subroutine is inserted at a conditional jump location, the subroutine including 

instructions for changing the return address of the subroutine to one of two program branches 
to execute branch statements! or branch statements! in response to the distinguishing value V 
being one of the two distinct values Vmax or Vmin. 

As may be seen in figure 3, the location of the conditional jump that is replaced is 

30 identified by code block f The subroutine is identified as IRRITATE_2 (102) and includes 
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code blocks identified as blocks g and h. The code block h also includes first and second 
sections 106 and 108, respectively. Each of the sections contain a series of dummy 
operations opl indicated at lines hi through h7 and at lines hl2 through hi 8. Each of the 
sections is terminated by a sequence of instructions for retrieving the return address of the 
5 subroutine IRRITATE_2 and changing it such that the program counter will point to line f4 or 
f5 after returning firom the subroutine. The lines f4 and f4 include jumps to one of the two 
branches indicated as block i and block j which contain statements! and statements! 
respectively. 

The target destination address is comprised of two components, namely the 

10 distinguishing value V or a value derived firom V and a random number 

MASKED_RANDOM, that are added at line gl . The beginning address of the first and 
second sections are chosen such that this target address is either in the range of lines hi 
through h8 or hl2 through hi 9. Since, the second component of the target address is a 
random number, a random number of dummy operations will be executed before the return 

15 address of the subroutine IRRITATE_2 is computed at lines h8 to hlO (or hl9 to h21). 

As in the previous embodiment the ADD values at lines h9 and h20 may be chosen to 
have the same hamming weight(number of I *s), with appropriate number of NOP instructions 
added to block f In addition the jump instructions at lines f4 and f5 may be placed at 
addresses with the same number of one's. Additional JMP instructions may also be inserted 

20 between the lines hi and hS with a destination in the same segment. 

This embodiment thus uses unconditional jumps instead of conditional jumps and adds 
a random number of dummy operations to the code. The former property is a countermeasure 
against SPA and the latter makes DPA attacks more difficult. In particular this embodiment 
adds a random mask or noise to the program execution path since the jump to a random 

25 address within a segment causes program execution of a random number of operations before 
one of the branches is executed. Therefore each time one of the branches is executed, the 
number of operations performed by the processor varies randomly making DPA attacks more 
difficult. 
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In the above embodiments, a subroutine is used to redirect program flow, however in 
figure 4, a simple series of jumps are used. The invention is thus not restricted to the 
embodiments shown. 

Referring to figure 5 an embodiment of a method for masking a private key or secret 
5 used in a cryptographic operation is shown generally by numeral 200. The method comprises 
the steps of dividing the key into a plurality of parts and combining with each part a random 
value modulo n (where n is the number of points on the elliptic curve) to derive a new part 
such that the new parts are combined to be equivalent to the original private key value and 
utilizing each of the individual parts in the operation. 
10 As seen in figure 5, the cryptographic processor is initialized with the public key or 

secret value d. In computing a pubhc key Q = dP, the secret key d is normally combined with 
the point P to derive dP. The value d is divided into a number of parts, eg d = bio + b2o. 

In a first step the bi's are initialized bi = bio and b2=b2o such that d == bio + b2o. These 
values of bi and b2 are stored instead of d. Alternatively the d value may also be stored if so 
1 5 desired, however in the case of a smart card where memory is limited this may not be 
desirable. 

At a next step, a random number n is generated and the values bl and and b2 are 
updated as follows: 

bl = bl + 71 mod n 
20 b2 = ba - 71 mod n 

The updated values of bi and b2 are stored. Computation is then performed on the 
point P using the components bi and b2 as follows: 
dP mod n = biP + b2P mod n 

Thus assuming the value n is randomly generated for each session then an attacker is 
25 unlikely to observe a predictable power signature. 

In a typical application of the present invention a signature component s has the form:- 
s = ae + k (modn) 

where: 

P is a point on the curve which is a predefined parameter of the system; 
30 k is a random integer selected as a short term private or session key; 

9 
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R = kP is the corresponding short term public key; 
a is the long term private key of the sender; 
Q == aP is the senders corresponding public key; 

e is a secure hash, such as the SHA-l hash function, of a message m and the short term 
5 public key R; and 

n is the order of the curve. 

The sender sends to the recipient a message including m, s, and R and the signature is 
verified by computing the value = (sP-eQ) which should correspond to R. If the computed 
values correspond then the signature is verified. Both the secret keys in the above example 
10 may be masked using the method of the present invention. 

Although the invention has been described with reference to certain specific 
embodiments, various modifications thereof will be apparent to those skilled in the art without 
departing firom the spirit and scope of the invention as outlined in the claims appended hereto. 
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THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY 
OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS: 

1 . A method of masking a conditional jump operation in a cryptographic processor, 
wherein program execution jumps to one of two branches depending on a first or 
second condition of a distinguishing value V relative to a reference wherein the 
reference is bounded by an upper limit Vmax and a lower limit Vmin, the method 
comprising the steps of: 

(a) determining the location of a conditional jump; and 

(b) inserting code thereat for executing instructions to change program execution to a 
respective one of the two branches by using said distinguishing value and a base 
address to compute a target address, wherein for each evaluation of said condition a 
different number of instructions are executed, thereby minimizing the effectiveness of 
a differential power attack. 

2. A method as defined in claim 1, said distinguishing value being combined with a 
random value, thereby adding a random number of instructions on every condition 
evaluation. 
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LINE# 


SOURCE TEXT 


1 


TH = a random number between VMIN and VMAX 




2 


rUK V iTOm VMIN to VMAX do 




3 


IFV<THTHEN 




4 


DO statements 1 


{branch I } 


5 


ELSE 




6 


DO statements! 


{branchJ} 


7 


OF 





JO 

Figure 1 
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Line# 


Source Text 


Comment 


aJ 
a2 
a3 
a4 


MOV A,V ^ 
CALL IRRITATE I^ 
JMP DO REAL 
JMP DO VOID 


Block a 


bl 
b2 
b3 
b4 


IRRITATEJ: 


MOVRO.KNOm/ DISPUCEMENT 
SUB ROJHRESHOLD 
MOVDPTR.R0 
JMP@A-^DTPR 


] 


Block b 


cl 
c2 
c3 


JMP LI '-^ 
JMP LI 
JMP LI 
JMP LI 1 
JMP LI 
JMP LI 
JMP LI 
JMP LI ^ 


( 




Block c 


c4 
c5 
c6 
c7 
c8 


r 




c9 
clO 

ClI 

cl2 
cI3 
cI4 
cl5 


JMP L2 
JMP L2 
JMP L2 i 
JMP L2 
JMP L2 
JMP L2 
JMP L2 
JMP L2 ^ 








c/7 
cJ8 
cI9 
c20 
c2I 
c22 
c23 
c24 


LI: 
L2: 


POP A 
ADD m 
PUSH A 
RET 
POP A 
ADD #y 
PUSH A 
RET 




[ 




ill 
d2 


DOJiEAL: 


Statements! 






Block d 


el 
e2 


DOyOID: 


Statements2 






Block e 



50 



Figure 2 
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Line # 


Source Text 


Comments 


fl 

fl 
fl 
fl 


MOV A.y 

MOV DPTRMASKED RANDOM 
CALL IRRITATE 2 
JMP DO REAL 
JMP DO VOID 


Block/ 




IRRITATE J: 


JMP %A+DPTR 




Block g 


hi 

1x2 

h3 

h4 

h5 

h6 

h7 

h8 

h9 

hlO 

hll 


opi -\ 
op2 

op3 / 

op6 I 
opl 
POP A 
ADD HO \ 

RET U 




Block h 


hl2 

his 

hl4 
hI5 
hI6 
hi? 
hI8 
h!9 
h20 
h2l 


opi ^ 
op2 ] 

op4 L rsj \0^b 

op5 1 

op6 

op7 

POP A 

ADD UI 

PUSHA 

RET 1 ^ 






il 
i2 


DO_REAL: 


Statements i 




Block i 


Jl 
fl 


DO_VOID: 


Statements2 




Block j 



Figure 3 
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Line # 


Source Text 


Comments 




MOV A.V 


Block k 




JMP IRRITATEJ 






IRRITATE I: MOV RO^KNOWN DISPLACEMENT 


Block I 




SUB RO, THRESHOLD 






MOVDPTR,R0 






JMP@A'^DTPR 






JMP DO VOID 






JMP DO VOID 






JMP DO VOID 






JMP DO VOID 






JMP DO VOID 






JMP DO~VOID 






JMP DCTVOID 






JMP DO VOID 






KNOWN DISPLACEMENT: 






JMP DO REAL 






JMP DOJIEAL 






JMP DO REAL 






JMP DO REAL 






JMP DO REAL 






JMP DO REAL 






JMP DO REAL 






JMP DOJiEAL 






DO_REAL: 


Block m 




DO_VOID: 


Block n 



Figure 4 
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Initialize processor: 
d,P 






f 




Generate d = I bi 










Generate random ti 






Compute d P = 


Z (bi ± 71 )P mod n 





Figure 5 



